eqqn Security blog

CTF write-ups

Home

CISM

cism banner

So it’s been a few years since I obtained OSCP, where I mildly roasted CIS**/M/A/SCP type of certifications. Now I am Certified Information Security Manager. What changed?

In past couple years I’ve been working as a Security Engineer for manufacturing company, but my responsibilities were touching more of the governance areas than before. I’ve been always customer centric and assisted in pre-sales and support where I could, exposing me to contracts, regulations and 3rd party risk management.

In my current and former position, I am the only dedicated security staff on-site, meaning I get a variety of tasks and have to cover the whole department, or even a whole division. Even if all you did was DevSecOps or pentesting, you are likely to be exposed to security governance, policies, standards, because they are what drive the security efforts.

Recognizing the gaps

While my Masters’ degree course did have a module on IT Audit and norms (which was a blast), we are only taught to follow the standards blindly, treat laws as absolutes, missing out on important parts of how actual organizations work. Learning engineering concepts, Cloud security technologies, DevOps, helps with the engineering parts of my job, but in themselves do not explain the way management treats risk, compliance and other governance areas. Penetration testing, ethical hacking training are very useful to measure correctly the impact, learning to test systems and writing reports. However, demonstrating business impact is only a fraction of successful security work inside organization at higher levels, you also have to present business cases, feasibility and other things.

So how do I thrive and succeed in this new environment that I find myself in? You can only go so far with intuition alone. Short of getting an MBA, I was not gonna learn much about business, reporting lines, board interaction and steering comittees.

Opening new doors

I started getting interested in Security Mangement, and seemed to face either CISSP or CISM as a choice. Both come with 5 year experience requirement. After initial brush with ISC2 through Certified in Cybersecurity(CC) course I discovered ISC2 to be poor fit for me. I took issue with their messaging, using the training materials to preach their code of conduct, and advertise cybersecurity as a free money machine and a viable career option for anyone, with this one simple trick! (paying for certification). ISACA just seemed to be more to the point from the get-go, the materials were structured to test and enhance my knowledge in the key security management areas. They acknowledge that security roles are sometimes stretched out, job descriptions do not match and one has to wear many hats.

Another reason why the CISM or CISSP is well regarded - hiring managers can effectively outsource credential verification to ISACA/ISC2, as one needs to prove their 5-year industry experience to the panel.

As someone who started as a security engineer, I was frustrated about change management, certain gatekeeping or inaction and general dislike for compliance (cyberpunk?). The training proposes models that are oriented to business objectives, with security as an enabler, not the blocker, gatekeeper, control-everything, cover everything attitude. I still reserve right to be frustrated over aforementioned, but I learned to advocate better for the business interests, understand the responsibilities of compliance and legal and interact with these parts of organization better.

Manager may not necessarily mean managing people. It’s about owning a topic and being competent about it.

Thoughts on the material

I relied only on CISM QAE (Questions, Answers, Explanations) Database from ISACA. Since this is meant to be experience based certification, I already had a pretty good understanding of the subject matter over my 6 years of experience. The materials are divided into 4 categories:

While I would like to learn from a book or other structured material, instead of reverse engineering and “drilling” correct way to respond, it is enough to pass the test if you have worked in the domain.

Each of the categories is further divided into specific subjects, with some overlap in the areas. By going through the questions I maintained ~70% correct responses, and wrong responses made me reconsider the question or how it is phrased. This is where engineering biases were a bit counterproductive and led to frustration. Sometimes the questions lack context on purpose, or insinuate certain facts only after the answer is selected. Sometimes there is play on English words, which is not obvious : material uses “impact” 96% of the time, but then spices it up with “criticality” and “magnitude” when referring to the same concepts just to mess with you. “users” can mean end users, corporate users, internal users, and is variable. Luckily most of these problems were not so prominent during exam.

After I’ve passed the exam I also noted the “CISM ITEM DEVELOPMENT GUIDE” which explains guidelines how CISM exam questions should be written:

Remember that the CISM exam is an experience-based exam.

So perhaps rather than “teach”, it is meant to test your experience as a Security Manager.

CEO MINDSET

One thing that is perhaps more commonly taught in MBA than cybersecurity, is the risk management. CISM teaches that all the “higher imperatives” such as Legislation or Compliance are to be treated like any other type of risk. If the cost of achieving compliance is higher than the possible fine, or is weakly enforced, it is rational to take the risk.

Now maybe this type of mindset leads to breaches and data leaks that we see today, where financial interest prevails over any loss that reputational damage or non-compliance entails. This also helps understand regulation and fines structure employed by EU privacy and cybersecurity laws - making non-compliance prohibitively expensive, compliance being the more financially sound option in the risk equation.

The exam

For the record I’ve done some proctored exams beforehand via Pearson Vue (Azure certs) and survived OSCP 24h proctored test, but I was not prepared for PSI testing. I have made sure to read the exam registration guide, proctor guide, video guide but have not taken the tutorial because my test was on Monday morning, and tutorial is open only 2 days before test, but not 150 minutes before the test(????). Instead of taking tutorial, I was refreshing some questions and testing “adaptive training plan” of the QAE.

This led me to panicked scrambling when I discovered that infact the “recommended” browser, Chrome, is actually mandatory, because there is a special extension and that “system compatibility test” does not suffice to be ready for the exam. With official materials outdated, support articles irrelevant and incomplete. I also had to exercise caution while under pressure, not to download anything malicious off a poisoned search results. I was up and running with freshly downloaded chrome and the chrome extension needed to read the PSI link that downloads .exe file. This, naturally was not included in the exam guide, but only aluded as “Secure Browser” in bold, with no link whatsoever. This is also a recurring problem with the proctor, from the amount of search results and discussions in this topic.

The exam itself went fluently, and I completed it in a little over 2 hours with 1 break. The questions were different from the QAE, but posed in the same way and mostly from the concepts covered in the QAE.

Can a shift from engineering to mgmt be done?

There was a certain “guilt” when I was meddling in matters like legal, strategy, policy and spending time away from DevOps. But with CISM training I became more cognizant of how these areas relate to security. It’s easy to look at something and say “ it’s not an engineering problem”, “it’s organizational issue” , “we always do it this way”. Now I can tackle the said organizational issues, propose better operational models and remind the mission of certain parts of organization, which is to manage risk and support business.

luke-skywalker-peaceful-life

Bias always exist - where engineers see concrete solutions and tools, the ISM will see more abstract means like “data protection” and “controls”, non-technical means as well. Perspective in both definitely helps aligning engineering and organizational efforts.

Remaining certified

What remains to be seen, is how to maintain the certification over time, and whether that is harder and more expensive than achieving the cert. I like to go to 1-2 conferences a year and it might be enough (?) to have 20 CPE hours per year minimum, but I need 120 over 3 years.

ISACA’s online/live courses are a racket, at 75CHF for 3 CPE, putting 25chf per CPE. That’s 3000 chf to renew ( of course other offers, special CPE on demand courses exist… as member of ISACA you may get some discount but I already had distaste for this business model even before going for CISM).

CPE on demand is 70$ per CPE hour. Absolutely disgusting in my books, lets keep going.

Another “viable” option is to keep getting certs that grant CPE’s - CISSP, CISA ,CDPSA , you name it. Surely each of them is worth CPE’s , and you can keep running from the inevitable expiration while accumulating renewal fees and yearly fees for each? Only time will tell. Cybersecurity certification industrial complex is real.

I might look for best strategies to Acquire CPE’s, or write about my own experiences in a another post. So far using the ISACA journal quizzes netted me one CPE, which has decent quality articles. However answering the current quiz took me closer to two hours than one. Also members have access to FREE CPE webinars provided by ISACA, and so far it had decent material, also 1 CPE at a time.

Small update: Over 2 months I managed to accrue 17 CPE’s using ISACA member resources without additional costs - free webinars and quizzes. Not all management frameworks or topics are relevant or applicable so “learning” experience is diminishing over time.